
Abstract

Our goal was to fix as many high-risk vulnerabilities throughout the GitHub Open Source project portfolio as we could with a minimum of effort. The intent was to simulate portfolio-wide remediation in a large and diverse organization within a context that allows sharing concrete statistics and experiences.
 
Fixing XSS throughout a portfolio of applications is more challenging than fixing a single application. In addition to the remediation work required for a single application, fixing a portfolio requires getting developer buy-in, complying with various coding style guides, integrating with each project's existing processes, testing, metrics, and more.
 
This presentation will discuss how we did it, lessons learned, and some alternatives. Three things that made our scaling approach unusual were:
1) Focusing on risk broadly across application portfolios instead of a single application.
2) Focusing on adding missing security controls instead of the exploitability of vulnerabilities.
3) Automating JSP source code modification.
 
We will compare the approach that we used on this project to more traditional manual and automated techniques that focus on vulnerability detection, as well as scaling through training, and scaling through building offshore capabilities.
